On 31/12/2019 11:16, Bardot Jérôme wrote:
> On 31/12/2019 11:28, Denis Roio wrote:
>> dear devs,
>> today I stumbled on this message
>> https://twitter.com/tamatsu_tme/status/1211558102098538498
>>
>> roughly translates to:
>> Well, the timestamp of the official iso image file of devuan 2.1 ASCII
>> changed just the other day (December 21), and the checksum of SHA256
>> has changed, I wonder what happened. I want you to stop updating in
>> the same version, I want you to make it 2.1.1 if you update something
>> even if it is content compatible.
>> is this the case? anyone knows?
>> in case yes then it would be good to issue a notice in the README or
>> so, I agree that on official releases any minimum change should be
>> reflected in versioning.
And the versioning should extend down to the package\binary itself.
This is one of the major contributing factors to why I refuse to use
Ubuntu based Distros. They patch a binary but do not change its revision
or they change a version so it no longer matches its upstream version.
CVE nightmare, manually checksumming every file on a system is expensive
and whilst it can show it was not tampered with, does nothing to indicate
its source origins. This would be a killer to Devuan for me.
Do not underestimate the importance of maintaining proper versions\revisions.
Systems Administrators need to be able to demonstrate "Due Diligence" to
contribute towards fireproofing their underwear.